AzureAD · sruke · Mar 24, 2025 · Feb 20, 2025 · Mar 6, 2025 · Mar 14, 2025
@@ -86,16 +86,15 @@
   </PropertyGroup>
 
   <PropertyGroup Label="Common dependency versions">
-    <MicrosoftIdentityModelVersion Condition="'$(MicrosoftIdentityModelVersion)' == ''">8.6.1</MicrosoftIdentityModelVersion>
-    <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.69.1</MicrosoftIdentityClientVersion>
+    <MicrosoftIdentityModelVersion Condition="'$(MicrosoftIdentityModelVersion)' == ''">8.7.0</MicrosoftIdentityModelVersion>
+    <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.70.0</MicrosoftIdentityClientVersion>
     <FxCopAnalyzersVersion>3.3.0</FxCopAnalyzersVersion>
     <SystemTextEncodingsWebVersion>4.7.2</SystemTextEncodingsWebVersion>
     <AzureSecurityKeyVaultSecretsVersion>4.6.0</AzureSecurityKeyVaultSecretsVersion>
     <AzureIdentityVersion>1.11.4</AzureIdentityVersion>
     <AzureSecurityKeyVaultCertificatesVersion>4.6.0</AzureSecurityKeyVaultCertificatesVersion>
     <MicrosoftGraphVersion>4.36.0</MicrosoftGraphVersion>
     <MicrosoftGraphBetaVersion>4.57.0-preview</MicrosoftGraphBetaVersion>
-    <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
     <MicrosoftIdentityAbstractionsVersion>8.2.0</MicrosoftIdentityAbstractionsVersion>
     <!--CVE-2024-43485-->
     <SystemTextJsonVersion>8.0.5</SystemTextJsonVersion>
@@ -173,6 +172,7 @@
     <MicrosoftExtensionsCachingMemoryVersion>6.0.2</MicrosoftExtensionsCachingMemoryVersion>
     <!-- Microsoft.Extensions.* 5.* are obsoleted -->
     <MicrosoftExtensionsHostingVersion>6.0.0</MicrosoftExtensionsHostingVersion>
+    <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
     <MicrosoftAspNetCoreDataProtectionVersion>6.0.0</MicrosoftAspNetCoreDataProtectionVersion>
     <SystemSecurityCryptographyPkcsVersion>7.0.2</SystemSecurityCryptographyPkcsVersion>
     <SystemSecurityCryptographyXmlVersion>6.0.1</SystemSecurityCryptographyXmlVersion>
@@ -196,6 +196,7 @@
     <MicrosoftExtensionsLoggingVersion>4.7.1</MicrosoftExtensionsLoggingVersion>
     <MicrosoftExtensionsCachingMemoryVersion>2.1.0</MicrosoftExtensionsCachingMemoryVersion>
     <MicrosoftExtensionsHostingVersion>2.1.1</MicrosoftExtensionsHostingVersion>
+    <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
     <MicrosoftExtensionsLoggingVersion>2.1.0</MicrosoftExtensionsLoggingVersion>
     <MicrosoftExtensionsDependencyInjectionVersion>2.1.0</MicrosoftExtensionsDependencyInjectionVersion>
     <MicrosoftExtensionsConfigurationBinderVersion>2.2.4</MicrosoftExtensionsConfigurationBinderVersion>

@@ -1,3 +1,11 @@
+3.8.1
+========
+### New features
+- Updated to Microsoft.IdentityModel.* [8.7.0](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases/tag/8.7.0)
+
+### Bug fixes
+- Pins Microsoft.Extensions.Http dependency version to 3.1.3 for .NET Framework and .NET Standard and uses inbox version for .NET Core. See [#3145](https://github.com/AzureAD/microsoft-identity-web/issues/3145).
+
 3.8.0
 ========
 ### New feature

@@ -29,7 +29,6 @@
     <PackageReference Include="Microsoft.IdentityModel.Logging" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Validators" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="$(MicrosoftIdentityModelVersion)" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
     <PackageReference Include="Microsoft.AspNet.Mvc" Version="5.2.7" />
     <PackageReference Include="Microsoft.AspNet.Web.Optimization" Version="1.1.3" />
     <PackageReference Include="Microsoft.AspNet.WebApi" Version="5.2.7" />
@@ -40,6 +39,10 @@
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
   </ItemGroup>
 
+  <ItemGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'">
+    <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\Microsoft.Identity.Web.TokenAcquisition\Microsoft.Identity.Web.TokenAcquisition.csproj" />
   </ItemGroup>

@@ -0,0 +1,43 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using Microsoft.Identity.Client.AuthScheme;
+using Microsoft.Identity.Client;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Microsoft.Identity.Web
+{
+    internal class AtPopOperation : IAuthenticationOperation
+    {
+        private readonly string _reqCnf;
+
+        public AtPopOperation(string keyId, string reqCnf)
+        {
+            KeyId = keyId;
+            _reqCnf = reqCnf;
+        }
+
+        public int TelemetryTokenType => 4; // as per TelemetryTokenTypeConstants
+
+        public string AuthorizationHeaderPrefix => "Bearer"; // these tokens go over bearer
+
+        public string KeyId { get; }
+
+        public string AccessTokenType => "pop"; // eSTS returns token_type=pop and MSAL needs to know
+
+        public void FormatResult(AuthenticationResult authenticationResult)
+        {
+            // no-op, adding the SHR is done by the caller
+        }
+
+        public IReadOnlyDictionary<string, string> GetTokenRequestParams()
+        {
+            return new Dictionary<string, string>()
+            {
+                {"req_cnf", Base64UrlEncoder.Encode(_reqCnf) },
+                {"token_type", "pop" }
+            };
+        }
+    }
+}
@@ -35,10 +35,13 @@
     <PackageReference Include="Microsoft.IdentityModel.Logging" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.LoggingExtensions" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="$(MicrosoftIdentityModelVersion)" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
     <PackageReference Include="Microsoft.Identity.Abstractions" Version="$(MicrosoftIdentityAbstractionsVersion)" />
   </ItemGroup>
 
+  <ItemGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'">
+    <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\Microsoft.Identity.Web.Certificateless\Microsoft.Identity.Web.Certificateless.csproj" />
     <ProjectReference Include="..\Microsoft.Identity.Web.Certificate\Microsoft.Identity.Web.Certificate.csproj" />

@@ -1,85 +1,27 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System;
-using System.Collections.Generic;
-using System.IdentityModel.Tokens.Jwt;
-using System.Security.Cryptography.X509Certificates;
-using System.Threading.Tasks;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Extensibility;
-using Microsoft.IdentityModel.JsonWebTokens;
-using Microsoft.IdentityModel.Tokens;
 
 namespace Microsoft.Identity.Web
 {
     internal static class MsAuth10AtPop
     {
         internal static AcquireTokenForClientParameterBuilder WithAtPop(
             this AcquireTokenForClientParameterBuilder builder,
-            X509Certificate2 clientCertificate,
             string popPublicKey,
-            string jwkClaim,
-            string clientId,
-            bool sendX5C)
+            string jwkClaim)
         {
-            _ = Throws.IfNull(popPublicKey);
-            _ = Throws.IfNull(jwkClaim);
+            _ = Throws.IfNullOrWhitespace(popPublicKey);
+            _ = Throws.IfNullOrWhitespace(jwkClaim);
 
-            builder.WithProofOfPosessionKeyId(popPublicKey);
-            builder.OnBeforeTokenRequest((data) =>
-             {
-                 string? signedAssertion = GetSignedClientAssertion(
-                     clientCertificate,
-                     data.RequestUri.AbsoluteUri,
-                     jwkClaim,
-                     clientId, 
-                     sendX5C);
-
-                 data.BodyParameters.Remove("client_assertion");
-                 data.BodyParameters.Add("request", signedAssertion);
-
-                 return Task.CompletedTask;
-             });
-
-            return builder;
-        }
-
-        private static string? GetSignedClientAssertion(
-            X509Certificate2 certificate,
-            string audience,
-            string jwkClaim,
-            string clientId,
-            bool sendX5C)
-        {
-            // no need to add exp, nbf as JsonWebTokenHandler will add them by default
-            var claims = new Dictionary<string, object>()
-            {
-                { "aud", audience },
-                { "iss", clientId },
-                { "jti", Guid.NewGuid().ToString() },
-                { "sub", clientId },
-                { "pop_jwk", jwkClaim }
-            };
-
-            var signingCredentials = new X509SigningCredentials(certificate);
-            var securityTokenDescriptor = new SecurityTokenDescriptor
-            { 
-                Claims = claims,
-                SigningCredentials = signingCredentials
-            };
-
-            if (sendX5C)
+            AtPopOperation op = new AtPopOperation(popPublicKey, jwkClaim);
+            builder.WithAuthenticationExtension(new MsalAuthenticationExtension()
             {
-                string x5cValue = Convert.ToBase64String(certificate.GetRawCertData());
-                securityTokenDescriptor.AdditionalHeaderClaims = 
-                    new Dictionary<string, object>() { { "x5c", new List<string> { x5cValue } } };
-            }
-
-            JsonWebTokenHandler tokenHandler = new JsonWebTokenHandler();
-            string token = tokenHandler.CreateToken(securityTokenDescriptor);
-
-            return token;
+                AuthenticationOperation = op
+            });
+            return builder;
         }
     }
 }
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -0,0 +1,9 @@
+Microsoft.Identity.Web.AtPopOperation
+Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string!
+Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void
+Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string!
+Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void
+Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>!
+Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string!
+Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int
+static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder!
@@ -589,11 +589,8 @@ public async Task<AuthenticationResult> GetAuthenticationResultForAppAsync(
                         }
 
                         builder.WithAtPop(
-                            application.AppConfig.ClientCredentialCertificate,
-                            tokenAcquisitionOptions.PopPublicKey!,
-                            tokenAcquisitionOptions.PopClaim!,
-                            application.AppConfig.ClientId,
-                            mergedOptions.SendX5C);
+                           tokenAcquisitionOptions.PopPublicKey!,
+                           tokenAcquisitionOptions.PopClaim!);
                     }
                 }
             }

@@ -25,11 +25,14 @@
     <PackageReference Include="Microsoft.IdentityModel.Validators" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="$(MicrosoftIdentityModelVersion)" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
     <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
     <PackageReference Include="System.Formats.Asn1" Version="$(SystemFormatsAsn1Version)" />
   </ItemGroup>
-
+
+  <ItemGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'">
+    <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
+  </ItemGroup>
+
   <ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETFramework' Or '$(TargetFramework)' == 'netstandard2.0'">
     <Compile Remove="*.cs" />
     <Compile Remove="AppServicesAuth\**" />